HHS Reports to Congress on HIPAA Compliance and Breach Notifications

HHS’s Office for Civil Rights (OCR) has posted its 2018 calendar-year reports to Congress on— (1) HIPAA privacy, security, and breach notification rule compliance; and (2) the HIPAA breach notification program. Highlights of the reports include the following:

• Compliance Report. This report provides an overview of HIPAA’s privacy, security, and breach notification rules, followed by a more detailed discussion of OCR’s enforcement process, with summaries of complaint resolutions, compliance reviews, and audits. An appendix summarizes eight resolution agreements and one civil monetary penalty proceeding from 2018. OCR notes that 77% of its complaint resolutions led to either technical assistance or corrective action. Of the compliance reviews opened in 2018, 84% resulted from large breach notifications, and 4% resulted from small breach notifications. The remaining compliance reviews stemmed from incidents brought to OCR’s attention by other means. Of the compliance reviews closed in 2018, 98% resulted from breach notifications, and a covered entity or business associate took corrective action or paid a penalty in 83% of the cases. OCR found insufficient evidence of a violation in just 4% of the cases.
• Breach Notification Report. This report begins with an overview of the notification requirements for covered entities and business associates following discovery of a breach of unsecured PHI. OCR notes that, in 2018, it received 302 large breach notifications affecting more than 12 million individuals, and 63,098 small breach notifications affecting nearly 297,000 individuals. Although health care providers filed the most reports, breaches at health plans and business associates affected more individuals. Most large breaches were caused by hacking of electronic equipment or network servers, unauthorized access to PHI, or theft. Email was particularly susceptible to large breaches, but more individuals were affected by breaches of network servers. Paper figured more prominently in small breaches, both in terms of the PHI’s location and the number of affected individuals. OCR calls out continuing issues with misdirected communications.

EBIA Comment: The reports provide a useful synopsis of enforcement activity and offer some additional insights—including the reminder that OCR opens compliance reviews for all breaches affecting 500 or more individuals. The breach notification report discusses the most common post-breach remedial actions taken to mitigate harm and provides a list of “lessons learned” (areas warranting particular attention to help avoid some common breaches). Covered entities and business associates will likely find the reports to be a useful resource in their HIPAA compliance efforts. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XX (“Enforcement of Privacy, Security, and EDI Rules”) and XXV (“Breach Notification for Unsecured PHI”). You also may be interested in our webinar, “HIPAA Breaches: Preparation and Response” (recorded 9/10/20).

Contributing Editors: EBIA Staff.